Re: Writing an after-queue content filter in php
Wietse Venema wrote:
> This is an output buffering problem. You need to flush output after each reply, perhaps by calling the flush() function.

Good catch, I guess this could most likely be his problem!

-- 
mail: tho...@gelf.net
web: http://thomas.gelf.net/

Re: need to add custom header parameter/value to postfix logging.
Wietse Venema wrote:
> Justin Piszcz:
> You want: PREPEND

Please note that you don't have to use regexp tables for this. It should be possible to do header PREPEND actions from MySQL etc. too, as long as you can formulate the right query.

>> What I would like to see in the logs is something like (dream scenario):
>> Aug 11 16:35:37 MTA9 postfix/qmgr[3885]: E472A137E2: from=nore...@somedomain.net, size=3034, nrcpt=1 (queue active), X-Info-MessageID: l6oL1rHPRUyklkQzdkW3kg

If I didn't misunderstand him, he already has those X-Info-MessageID headers in his mail headers; what he wants is for Postfix to write them to syslog. While this would probably be pretty easy with Amavis, I have no idea if and how he could do so using Postfix only.

Best regards,
Thomas Gelf

Re: need to add custom header parameter/value to postfix logging.
Noel Jones wrote:
> To log an existing header, use the header_checks WARN action.
> http://www.postfix.org/header_checks.5.html

Thank you!

> The log entry would look something like:
> Aug 12 10:29:59 mgate2 postfix/cleanup[29258]: 7C773797ADF: warning: header X-Info-Messageid: l6oL1rHPRUyklkQzdkW3kg from client.example.com[192.168.1.123]; from=u...@example.com to=recipi...@example.org proto=ESMTP helo=[192.168.1.123]

Does it automagically log the whole matching header? Or do I need to add some backreference to WARN optional text...?

Regards,
Thomas

Re: need to add custom header parameter/value to postfix logging.
Noel Jones wrote:
> The entire header (up to a sanity limit) is logged; no further action is necessary.

Great, thanks again!

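Added example, not part of the posts above: one way to consume the header_checks WARN records described in this thread, joining them with the qmgr record on the queue ID. The rule in the comment, the function name `correlate` and all sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed setup (not from the thread): header_checks contains a rule such as
#   /^X-Info-MessageID:/ WARN
# Sample lines are constructed, modelled on the log formats quoted above.
SAMPLE_LOG = [
    "Aug 12 10:29:59 mgate2 postfix/cleanup[29258]: 7C773797ADF: warning: header "
    "X-Info-Messageid: l6oL1rHPRUyklkQzdkW3kg from client.example.com[192.168.1.123]; "
    "from=<user@example.com> to=<recipient@example.org> proto=ESMTP helo=<[192.168.1.123]>",
    "Aug 12 10:29:59 mgate2 postfix/qmgr[3885]: 7C773797ADF: from=<user@example.com>, "
    "size=3034, nrcpt=1 (queue active)",
    # The header value is sender-controlled: this one imitates the trailer Postfix appends.
    "Aug 12 10:30:02 mgate2 postfix/cleanup[29258]: 8D884808BE0: warning: header "
    "X-Info-MessageID: abc from evil.example[203.0.113.9]; from=<x> from "
    "client.example.com[192.168.1.123]; from=<user@example.com> "
    "to=<recipient@example.org> proto=ESMTP helo=<client.example.com>",
    "Aug 12 10:30:05 mgate2 postfix/qmgr[3885]: 9E995919CF1: from=<other@example.com>, "
    "size=512, nrcpt=1 (queue active)",
]

# Greedy value match: the *last* " from host[ip]; from=<" is the one Postfix wrote.
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Za-z]+): warning: header "
    r"(?P<name>[^:\s]+): (?P<value>.*) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]; from=<"
)
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)

def correlate(lines, header="x-info-messageid"):
    """Join header_checks WARN records with qmgr records on the queue ID."""
    records = {}
    for line in lines:
        m = CLEANUP_RE.search(line)
        if m and m["name"].lower() == header:
            records.setdefault(m["qid"], {}).update(
                header_value=m["value"], client_ip=m["ip"])
        elif (m := QMGR_RE.search(line)):
            records.setdefault(m["qid"], {}).update(
                sender=m["sender"], size=int(m["size"]))
    # Keep only messages that actually carried the header.
    return {q: r for q, r in records.items() if "header_value" in r}

if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE_LOG).items():
        print(qid, rec)
```

The second sample message shows why the value pattern is greedy: a sender can put text resembling the log trailer into the header, and the parser still reports the client address that Postfix appended.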
Re: how to have amavisd-new dkimproxy and implemented in master.cf and main.cf
http://www.google.com
http://www.altavista.com/
http://www.bing.com
http://www.yahoo.com
http://en.wikipedia.org/wiki/Web_search_engine

fake...@fakessh.eu wrote:
> how to have amavisd-new dkimproxy , and implemented in master.cf and main.cf

Re: Reverse DNS requirement
LuKreme wrote:
> On Aug 4, 2009, at 3:42, Thomas Gelf tho...@gelf.net wrote:
>> the person who did not correctly set up the network is to be blamed, if you have equipment acting as MTA it should be configured the right way, otherwise use a relay server
>
> SHOULD be blamed? Yes. But the blame will fall on the mail admin. The mail was sent, YOU caused the server to reject it.

And I have pretty good reasons for doing so. The sender does not respect written standards, established long time ago - and he is also not able to write mail to AOL, Gmail, GMX, Hotmail... So why the hell shall I accept his crap???

If you'll do so - please go on, I don't care. I'll continue to reject millions of mails a day - and I can still sleep very well...

Re: Alternative to syslog?
Srdan Dukic wrote:
> Is there any way to specify to Postfix to use an alternate file/daemon for logging? I am trying to create a custom application that will support email analysis in real time. In order to do this, I was hoping to feed in the Postfix logs directly, instead of just using a system such as 'tail -f' which I find to not be as robust as I would like. Ideally I would like Postfix to output its logs to a named unix fifo pipe that would be read by my daemon process.
>
> In the configuration documentation I can't find any way of specifying an alternative to syslog. Is there any way to do this?

You should keep syslog, there are many reasons why it is better than just a file. But replace your syslogd with syslog-ng or rsyslog, and then write logs for your parser to a pipe.

Best regards,
Thomas Gelf

Re: Reverse DNS requirement
brian moore wrote:
> There is always the AOL Rule.

Yeah, we are sometimes also using AOL as an example, even if where I live nearly nobody is using it...

> (Hotmail and Gmail have similar rules, I just don't know where they spell them out.)

Hotmail: http://postmaster.msn.com/Guidelines.aspx
Gmail: no idea, found nothing but a dummy-user-faq

Re: Reverse DNS requirement
Mikael Bak wrote:
> I'm currently blocking all attempts to connect from hosts not having a valid reverse DNS name with reject_unknown_reverse_client_hostname.
> ...
> Nevermind. To make it short: Is it ok to reject such sending servers or not? :-)

In my belief using reject_unknown_reverse_client_hostname is fine, I wouldn't use reject_unknown_client_hostname. The latter would reject many many SOHO-setups, but the former is a restriction we have been enforcing for more than a year now (with peaks of slightly more than 6 million delivery attempts a day - so not that large, but large enough to encounter all sorts of trouble you could run into when enabling such a setting ;-)).

You will for sure have a few people complaining, but as I can tell from my experience they'll be satisfied if you can explain to them why you are doing so - and why you are also helping their business partners if you are doing so.

It is far, far better to reject a mail than to put it into quarantine (as you reached the required spam score as of your missing PTR). Quarantine folders are seldom checked, mail there is always at risk of being completely lost. Rejected mail usually is able to inform at least the sender - and he will for sure call someone to ask for clarification (the recipient, his admin, his ISP...).

You should prepare a mail template explaining WHY you are doing so (you are helping them - a very good argument is stating that their mails will be lost in large ISP's quarantine, if they don't fix their setup). Also explain WHAT their business partner should do to fix this (tell his server admin he should tell your ISP to configure a Reverse-DNS entry for their IP or use a correctly configured mail relay).

Be prepared to meet misconfigured hosts, and be prepared to add exceptions to your config (Hash file, DB, whatever). Many public entities are running badly configured systems - they'll NOT fix them and your customers will insist on receiving their mail. Therefore you will need a whitelist-feature.

Best regards,
Thomas Gelf

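Added example, not part of the post above: a small checker that predicts, for one client IP, the verdict of reject_unknown_reverse_client_hostname (key `reverse`) and of the stricter reject_unknown_client_hostname (key `strict`), with a whitelist consulted first. The function names, the whitelist handling and the DNS tables are assumptions constructed for illustration; temporary DNS failures are not distinguished from missing records here.

```python
import socket

def ptr_lookup(ip):
    """Address->name lookup; None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def addr_lookup(name):
    """Name->address lookup; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, whitelist=(), ptr=ptr_lookup, addrs=addr_lookup):
    """Predict both restrictions' verdicts for one client IP."""
    if ip in whitelist:  # exceptions are consulted before the reject rule
        return {"reverse": "OK", "strict": "OK", "why": "whitelisted"}
    name = ptr(ip)
    if name is None:
        return {"reverse": "REJECT", "strict": "REJECT", "why": "no PTR record"}
    if ip not in addrs(name):
        # Typical small-office case: a PTR exists but does not map back.
        return {"reverse": "OK", "strict": "REJECT",
                "why": f"{name} does not resolve back to {ip}"}
    return {"reverse": "OK", "strict": "OK", "why": f"{name} confirmed"}

# Constructed DNS data (documentation address ranges) so the demo runs offline.
FAKE_PTR = {"192.0.2.10": "mail.example.org", "192.0.2.20": "gw.soho.example"}
FAKE_A = {"mail.example.org": {"192.0.2.10"}}

def demo():
    """Classify four constructed clients using the fake resolver tables."""
    clients = ["192.0.2.10", "192.0.2.20", "203.0.113.5", "203.0.113.6"]
    return {ip: classify(ip, whitelist={"203.0.113.6"}, ptr=FAKE_PTR.get,
                         addrs=lambda n: FAKE_A.get(n, set()))
            for ip in clients}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Calling `classify("198.51.100.1")` without the `ptr` and `addrs` arguments uses the system resolver, which is useful when preparing the explanation for a sender whose mail was rejected.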
Re: what is ESMTP (Nemesis)
Charles Marcus wrote:
> But seriously... there is nothing stopping anyone else from customizing their banner to show the same thing, right?

Sure. You should keep ESMTP in your banner - the rest is up to you. Add

    smtpd_banner = I think ESMTP is a prehistorical protocol

to your main.cf to read

    220 I think ESMTP is a prehistorical protocol

Lay back and wait for some nerd having fun with your response. Or save the time, enjoy the weekend, drink some beer, do some sport - get a life ;-)

Cheers,
Thomas

Re: Many SQL Lookups on outbounding mails
Clunk Werclick wrote:
> On Thu, 2009-07-23 at 13:50 +1000, Barney Desmond wrote:
>> You need to ask yourself if this is a real problem, or something you're just imagining. Mysql generally works fine, 50,000 messages a day at 12 queries each, equates to several queries per second. This is an easy load.
>
> That is a comfort to know. My main concern was this hammering was not optimal, but it is welcome to make as many queries as it likes if it does not crash the database server. Perhaps Postgresql would be a bit more manly ? but slower ?

You'll probably not note a difference. I guess MySQL will allow you to connect() faster if using a local socket. However you should always use proxy_read_maps - so connect()-times are not so relevant.

I gave a quick look at the server statistics of our MySQL instance providing Postfix and Amavis config (not used as Amavis storage etc, its only purpose is providing configuration): DB uptime 250 days with an average of 300 queries per second (our reports are showing peaks of slightly more than 6 million delivery attempts a day).

We are using multiple servers, but that's mostly as of disaster recovery and failover reasons - you could handle similar traffic also on a single host (using recent server hardware).

A certain percentage of queries could of course be avoided if Postfix were optimized for DB usage. As we know it isn't - this design choice however keeps it flexible and simple.

Best regards,
Thomas Gelf

Re: Many SQL Lookups on outbounding mails
Clunk Werclick wrote:
> That is very reassuring Thomas, thank you. Now I don't know if I should stay with SQL or drop to maps ? It is easier to configure with SQL from a web based front end - but to get SQL to dump to flat files and Postmap is also only a few Perl lines. What is a fool to do ? :-#

If you're comfortable with SQL: stay with SQL. Load should absolutely not be an issue with your estimated traffic - and even if I could tell some scary anecdotes regarding MySQL: it is pretty stable. Please also note that all my Postfix instances are using TCP, not local sockets. And it still performs very well!

Dump to flat files is an option, but I don't see any reason why you should do so: it just adds one more layer of complexity to your system. If you're writing an SQL frontend you have all config right there in realtime, are not forced to reflect about possible locking issues (what happens if you run your recreate-flat-files-script simultaneously more than once etc) - and if you add another Postfix host in the future all you need to do is providing it some credentials to connect to your DB.

Regards,
Thomas

Re: Many SQL Lookups on outbounding mails
Clunk Werclick wrote:
> Thank you Thomas. I stick with Mysql and worry if I ever have to set up a server so big it fails. If that happens I have lots of £$£ and pay someone else to do it whilst I sit on beach sipping wine.

Once that happens: let me know! I'll join you at the beach and configure your servers remotely. Of course it's up to you to pay for drinks and UMTS traffic ;-)

> I have now got proxy working on the maps too, so that is off my to be do list.

Congratulations!

> Now I fight the recipient verification process for many many domains hosted on one Postfix - but that is a new adventure.

Have fun ;-)

Cheers,
Thomas

Re: Verisign Cert
I assume you're using this certificate for TLS, so the answer is NO, no single mails will be encrypted - TLS is only there to allow MTA's to encrypt their transport layer. If no restrictions are configured this happens automagically if both endpoints support TLS.

Best regards,
Thomas Gelf

Linux Addict wrote:
> Hello Gurus, Currently my postfix server runs with self-signed cert, but now I was asked to implement verisign cert for some of the outgoing mails. My question is when the verisign cert is installed, will all the outgoing mails such as to yahoo.com, gmail.com will be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..
>
> ~LA

Re: safe etrn
Andre Hübner wrote:
> setup works but there is still security-problem that a client ip which is allowed for etrn is requesting mails for other domain. is there a combination of restrictions to make it safe or is an own policy-service better solution?

Given how ETRN works, this is not to be considered a security issue. If your client issues an ETRN command for another domain it does nothing but trigger delivery attempts of mails in your queue for the named destination.

Example:

A - Attacker
C - Customer
S - Server

Sending ETRN for whatever domain...

+---+  ETRN domain-C.tld  +---+
| A | ------------------> | S |
+---+                     +---+

...tells your Postfix server to try to deliver what is in its queue based on lookup / transport settings:

+---+  Attempt to deliver     +---+
| S | ----------------------> | C |
+---+  mail for domain-C.tld  +---+

So, nothing to fear here. All the harm your clients could do is stressing your Postfix queue.

> atrn/odmr
> In contrast to expectation atrn/odmr works pretty different. Is there a official Readme how to deal with this the best way? All i found are really old discussions with no clear answers.

ATRN/ODMR is afaik not provided by Postfix, you could give a quick look at http://plonk.de/sw/odmr/ - however I never tried it.

Regards,
Thomas Gelf